
Al Qaeda Steganography

The reports are still early, but it seems that a bunch of terrorist planning documents were found embedded in a digital file of a porn movie.

Several weeks later, after laborious efforts to crack a password and software to make the file almost invisible, German investigators discovered encoded inside the actual video a treasure trove of intelligence -- more than 100 al Qaeda documents that included an inside track on some of the terror group's most audacious plots and a road map for future operations.

Hmm, I'm wondering: if I put those sensitive documents through steganography, wouldn't it be best to hide them spread across many different "movies" rather than just one?
Wouldn't it be best to encrypt them too?

How is it that someone sophisticated enough to use steganography could choose an encryption key that could be broken? Does steganography make it more difficult to use a large key? Am I missing something?

kinda pointless to bury steg at the bottom of a pile of encryption - defeats the whole "look over there!" aspect of slipping your secrets inside something mundane when you make it obvious there's something worth finding

Bruce, you always put the argument that the DHS hasn't ever caught a single terrorist. But who knows how many terrorist attacks were prevented because the terrorists saw they didn't have a chance, so they didn't even try? Your argument doesn't prove the DHS is ineffective.

A better question is why use stego at all? If you see an Arab man (who is already on a watch list) coming through a checkpoint and later discover he has a flash drive filled with porn in his underwear, a pretty logical conclusion is that the porn is being used for stego. Surely this suspected terrorist knew that the porn files would raise suspicion? If so, why weren't better measures taken to protect the files? Surely they know that stego by itself will only protect you from inept foes.

This leads to a few possibilities:

1) The Al Qaeda members are idiots (not discounting this, as there is nothing special intellectually about most terrorists -- they are essentially people without lives).

2) They did encrypt but used weak passwords.

3) NSA and its foreign allies have a way to crack strong crypto regardless of password entropy.

4) The files themselves were meant to throw TLA's off the trail of a real operation (this implies smart terrorists, which most of them are not).

5) This whole story is a fabrication put out by some intelligence agency as some sort of misdirection campaign. (This type of thing happens all the time -- more than most people suspect. The media is a powerful weapon for the TLA's).

I tend to think #5 is the most likely scenario. Why would the intelligence agencies publish details on such an operation? It doesn't make much sense that they would give away sensitive operational details like this. So, I am inclined to believe, until more information comes along, that this whole story was manufactured for some reason that those of us without TS/SCI clearance will never know. Of course, it's possible the story is partially correct, but there are kernels of misdirection in there as well.

In the early 2000's, a completely unsubstantiated claim was promulgated in newspapers that claimed that terrorists were sending steganographic messages through forum avatar images. That was always absurd because there was 1. no evidence at all for that taking place and 2. the method that the news reported was completely infeasible. It was functionally the same as an urban myth.

What could've happened is that Al-Qaeda, while watching Western news and reading newspapers to see what was being reported (as a means of conducting their own intelligence operations) saw that news story and said "Hey, wait a minute, that's actually a really good idea" and then started doing it themselves for real.

If you wanted to use stego to spread your secret plans to all your loose affiliates by sticking them in internet porn, I get it. But if you're going to use something as sophisticated and fragile as steganography, why stick the files on portable storage and hand carry them in your underwear? On the other hand, if you're going to carry secret files on hidden physical storage in your underwear, why not just use GPG?

The only two explanations I can come up with are that this is fake or, as Rob Slade noted, "steganography" means they hid their poorly encrypted files in a file named "VTS_02_4.VOB" on the disk.

You're assuming a lot to say that this means the US NSA/CIA/DHS are incompetent.

I would argue that this means that this man (and the data) were of higher interest to the German agency than to various US agencies. Competence or ROI is a different question, requiring much more information.

Perhaps the file contained nothing but a porn movie, the government steganographically planted a fictional Al Qaeda ops document in the file, then "found" the document.

How do we know this didn't happen? Easy. Germany, please post the porn file containing the alleged steganography, so we can verify Al Qaeda's digital signature on the file. Al Qaeda, please post your public key certificate (signed by a reputable certificate authority). Any mismatch, and we'll know where the culpability lies.

The linked article says "after laborious efforts to crack a password and software to make the file almost invisible". So it explicitly claims a password.

The article doesn't contain the word "steganography", and doesn't say anything more explicit than the "make the file almost invisible" quoted above. That could be an error (actual steganography makes the data almost invisible inside the file), or perhaps there were other attempts to hide the file involved.

Carrying the memory stick in such a way as to indicate you were hiding it seems like bad "tradecraft", but what do I know?

Pornography may not be that bad a choice; it's the sort of thing that while frowned on a lot of places, is quite popular, so it's the sort of thing a lot of people would hide, and would be nervous about. They can't take the time to really closely examine all pornography found at border crossings!

a) They went to the trouble to use stego to hide the documents;
then
b) Hid the USB key in his underwear, which just makes a mockery of the whole point of hiding secrets in plain sight. "Here, these files, yeah these...you should pay attention to this right here!"
and
c) It took 19 comments on a security forum before anyone mentioned it.

Bonus points however to Ty for the idea of hiding explosives in cocaine. Exactly.

>They can't take the time to really
>closely examine all pornography found at
>border crossings!

My guess is they have a really big collection of hashes ... that's how they catch most kiddie porn crossing the 'net and national borders. Yeah, I know it's still time consuming but it's automated.

While the hashes are used to compare files regardless of name, the fact that the file doesn't match a known hash for Ron Jeremy and his 40 Virgins would raise one red flag that the file may not be a movie, or may have stego going on.

I bet what really happened is that flash drive was formatted as FAT32 and the bad guy set the "System" and "Hidden" attributes for his eeeevil file (and gave it an innocuous name for good measure).

The brilliant investigators used some turnkey tool which pointed out the "Hidden" file to them, and after a lot of poking and prodding they eventually figured out what file format it was in and decoded it. (It was probably a .ZIP file or something, and they had to brute-force a pathetically weak password made of non-ASCII characters in order to view the contents.)

As I understand it, the movies were hidden files in hidden folders. Darwin is at work here, because if they had an ounce of intelligence (sic), they would have encrypted the data, then inserted them steganographically into a bunch of 3 Stooges or WC Fields movies in plain sight!

Hiding in plain sight!! Pornography is a good pastime for one and all. Nothing bad if watched within the scope of the law of the land. But it's a serious offense in a few regions; ISPs are being ordered by governments to block offensive materials. Terrorist criminals might use this as a medium to hide their important documents for two reasons (one for real hiding and the other to enjoy the plain sight):

1) Most of the search officials will take it as normal pornography unless they steganalyse it.

2) The surveys reveal that pornography is a good stimulating agent in the virtual sex act. While on their so-called fidayeen (killing) missions, terrorist criminals have to control/fulfil three basic needs: hunger, sleep, sex. Sex simulation with pornography is also a stress-relieving tool.

It's truly mentioned in the scriptures of all religions that illicit sex is wrongful. GOD made SEX for LOVE, but DOGs used it for hatred...

1) I agree with those above who say hiding the flash card drew attention to it. But I also agree one could plausibly say it was being hidden because it contained porn. Would someone of the courier's ethnic and religious background, carrying material like that, hide it or reveal it?
2) If the movie file was remotely known, a comparison between the file on the flash and a known "clean" copy of the file would reveal something had likely been altered. But I would be surprised if it were original, custom material :)

Aside from the lack of encryption, I'm not sure that this doesn't reveal some sophistication on al Qaeda's part, overall--it just wasn't enough. And they might not have encrypted if they'd determined that stegging encrypted data wouldn't make it more obvious in the file.
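A worked illustration of the two points raised above (the known-hash lookup at border crossings, and comparing the file on the flash drive against a known "clean" copy), added here as example code; it is not from the original post or any commenter. The file contents, the "clean" reference and the 4 KiB chunk size are all constructed for the example. The whole-file hash only says whether a file is already known; chunk-wise hashes against a reference copy localise where it differs, and an encrypted archive appended to an otherwise untouched movie shows up as extra chunks past the reference's end:

```python
import hashlib
import random

CHUNK = 4096  # assumed chunk size for localising differences; any fixed size works


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def chunk_hashes(data, chunk=CHUNK):
    """Digest of each fixed-size chunk, so a difference can be placed within the file."""
    return [hashlib.sha256(data[i:i + chunk]).digest() for i in range(0, len(data), chunk)]


def altered_chunks(reference, suspect, chunk=CHUNK):
    """Indices of chunks where the suspect differs from the known-clean copy.
    Chunks beyond the shorter file count as altered (truncation or appended data)."""
    ref, sus = chunk_hashes(reference, chunk), chunk_hashes(suspect, chunk)
    diffs = [i for i, (a, b) in enumerate(zip(ref, sus)) if a != b]
    diffs.extend(range(min(len(ref), len(sus)), max(len(ref), len(sus))))
    return diffs


def triage(suspect, known_hashes, reference=None):
    """Whole-file hash first; fall back to chunk comparison when a reference copy exists.
    Returns (verdict, label_if_known, altered_chunk_indices)."""
    digest = sha256_hex(suspect)
    if digest in known_hashes:
        return ("known", known_hashes[digest], [])
    if reference is None:
        return ("unknown", None, [])
    return ("modified", None, altered_chunks(reference, suspect))


def demo():
    rng = random.Random(11)
    # Constructed stand-in for a movie file (pseudo-random bytes, not a real container)
    movie = bytes(rng.getrandbits(8) for _ in range(10 * CHUNK))
    known = {sha256_hex(movie): "clean reference copy"}

    # Variant 1: LSB-style tweaks confined to chunks 3 and 7; file size unchanged
    tweaked = bytearray(movie)
    for c in (3, 7):
        for i in range(c * CHUNK, c * CHUNK + 64):
            tweaked[i] ^= 1

    # Variant 2: an "encrypted archive" (random bytes) appended to an untouched copy
    appended = movie + bytes(rng.getrandbits(8) for _ in range(2 * CHUNK + 100))

    return {
        "clean": triage(movie, known, movie),
        "tweaked": triage(bytes(tweaked), known, movie),
        "appended": triage(appended, known, movie),
    }
```

Without a reference copy the size-preserving tweak only ever comes back as "unknown", which is the honest limit of a hash list: it can clear known-good files quickly, but it cannot by itself say that an unknown file carries anything.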

5) This whole story is a fabrication put out by some intelligence agency as some sort of misdirection campaign. (This type of thing happens all the time -- more than most people suspect. The media is a powerful weapon for the TLA's).

Hmm you did not go the extra step to option six...

Instead of "intelligence agency" and "TLA" use "Terrorist organisation".

As I've noted before "Cpl. Hotfoot" "Cpt. Thunderpants" and the "toner cartridge duo" are terrorist attacks designed to fail as physical attacks but succeed as publicity attacks and a reminder that the "bogie man" is still out there.

They have the advantage of keeping the taps flowing on funding, whilst also waving a flag to attract people to the cause, as well as making the US and other countries' security forces run around and their respective politicos destroying their economies and repressing their people. A nice win-win for the terrorist organisation, the security forces and their political masters...

Ask yourself what has the terrorist organisation lost?

Absolutely nothing, apart from a supposed courier who could well have been a patsy set up to fall. From what has been reported (and that's next to nil) the documents were either low-level intel you could put together from the Internet or "hey, how about this" fantasy planning ideas along the lines of a security theater contest...

With regard to your fourth option, you almost got it ;-) but with any "disinformation operation" there does not need to be another operation to cover up.

For whoever set this up (and I'm thinking it is definitely some kind of setup) this has done really quite nicely on its own, just in time for the anniversary of OBL's death. The "porn" angle ties in nicely with what was supposedly found in OBL's compound in Pakistan, and the stego aspect is one of those long-running "Oh My God" things that has also been around for a long time.

The story is "too pat" and that is a big, big question mark. OBL has been dead for a year, and this style of terrorist communications method was clearly highlighted at the time. So ask yourself the question: why have they not changed it, as it would obviously be a "red flag" for even the TSA?

Oh and why were the documents so quickly recovered?

Even with the level of distrust they (supposedly) may have for "things western", we have good reason to believe that OBL's organisation had strong links to people within the Pakistani Intelligence Service (ISI), and thus secure comms to a much higher level would have been well known to the ISI personnel and thus to OBL & Co...

@ Bruce,

The reports are still early, but it seems that a bunch of terrorist planning documents were found embedded in a digital file of a porn movie

I've had a little dig around and although there are lots of "Oh My God" reports, they all appear to go back to the one investigative journalist's article in the German weekly newspaper.

Now the original German article actually does not appear to say a lot (as far as my poor understanding of German allows ;) but it appears, certainly on the technical aspects, to be a good deal less than has been subsequently reported.

The story appears to be developing a "life of its own" like any good "Chinese whisper" and is certainly making the journalist's name well known around the world (which won't hurt sales of his book). However I would have a look into his track record on Middle East terrorist organisation stories to see what the independent and verifiable facts behind them are.

So I'd remain "firmly sceptical" unless a good deal more corroborating information from other independent sources comes to light.

@bleah
"I bet what really happened is that flash drive was formatted as FAT32 and the bad guy set the "System" and "Hidden" attributes for his eeeevil file (and gave it an innocuous name for good measure)."

Or, they deleted the file. The special retrieval software was an "undelete" program.

Which allows for the possibility that this was a cock up and the original owner of the flash thought the file was gone.

> Encryption before steg makes it harder to do
> good steg, and easier to detect. Stuff that's too
> random sticks out like a sore thumb.

I can't offhand think of any theoretical reason why this should be true (and quite a lot of reasons why it is false). On the other hand, it could be true if the stego algorithm(s) are themselves bad --- is that what you meant?

Encryption before steg makes it harder to do good steg, and easier to detect. Stuff that's too random sticks out like a sore thumb

Take a whole RGB snapshot, then compare the light (hue) fluctuation, as encryption would have large differences, say 0x31 -> 0xff.

These problems are trivially solved with a tailored expansion / inflation algorithm that adds "tailored redundancy".

A very simple example would be take your encrypted output and break it into small blocks of 4-6 bits. To each value in the small block set assign one or more blocks of 8-16 bits.

You assign the bit range and number of large bit blocks to your small bit blocks to match the desired distribution you require. You likewise select the individual large blocks to reflect other "trends" that change with time etc.

This has been known about and used since at least WWII, where the output of a "number one-time pad" was then "remapped" to give a frequency distribution similar to that of other ciphers in use, so that the enemy could not easily tell OTP traffic from the weak "poem cipher" traffic or "dummy traffic" and thus could not use it for traffic analysis; it would also have the consequence of tying up enemy cryptographers, which were a very scarce resource.

The reported wording does not rule out an encrypted archive that was renamed to a movie file, possibly with a credible movie header added. This also hides the files inside a movie file, but allows documents and folders to be hidden. Note that the article mentions a lot of material, so the amount of data is bound to be larger than what is achievable with steganography on two movie files.

the challenge is to pass two border controls, with different objectives

The subject has to get out of the country. Rules there are severe for porn, adultery etc.; maybe they care less about bomb-making plans and stuff.
Encryption won't save you: you are not allowed to use it, or you have to present the key.
Solution: have a microSD card and hide it (the level of inspection needed to find that ...).
Get into the US:
- try a: hide from scanners (invasiveness of search applies, but(t) ...)
- try b: encrypt it just in case and as a decoy: the porn is homemade with a married wife and she will be killed if my country finds it => plausible reason, agent feels sorry for the guy
- try c: actual data is hidden - the tricky part (a TrueCrypt multi-key solution is what this lot here would use, I assume)

Failing all three ... score 0
But don't laugh at the plan (though I admit laughing at the bomb in drugs, 10/10)

Good stego is very effective, since it is very difficult to detect. If you believe otherwise, show me the math, since you have a major breakthrough on your hands.

It all depends on what you mean by "good stego". It is usually possible to detect possible/probable stego because its signature does not match the signature of the carrier sufficiently well, and it produces anomalies or artifacts which you can detect. However detecting the artifacts will not of necessity get you sufficient information to say positively it's present, or sufficient information to reveal what has been hidden.

I made comment on this the other day when this subject was first brought up,

Good stego means that you don't try to stuff too much hidden data into the carrier file. In this case they used movie files, which contain a lot of pictures where you can store data in the lowest colour bit. I don't have the numbers in my head, but you can store kilobytes of data in an ordinary JPEG picture, and most people will not notice unless they know what they are looking for.

Hard to detect means that it is very difficult for the human eye or ear to detect that there is hidden information in the carrier movie, picture, or sound. If you know what you are looking for, and crypto folk usually have a hunch, it is quite possible, given a large amount of data, to find out that there is hidden information. Now, when you have found out that there is hidden data, and where it is, you have to find out how it was stored there. Even if they used no encryption as such, it can be a very large undertaking to find how the files were encoded.

My guess is that if intelligence services get their hands on pictures, movies, songs from suspected criminals, they routinely check for stego.
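The "lowest colour bit" embedding and the "routinely check for stego" remark above, as an added example that is not from the original post or any commenter: sequential LSB replacement into a constructed row of 8-bit samples (standing in for one colour channel), its capacity, and the pairs-of-values chi-square check of Westfeld and Pfitzmann run over the same samples. The cover is constructed with the odd member of each value pair (2k, 2k+1) made rarer than the even one, which mimics the uneven pairs that make this test work on real covers; the payload is random bytes standing in for ciphertext. Only the even cell of each pair is counted, so under random LSB replacement the statistic settles near 0.5 per pair, while an untouched cover with uneven pairs scores far higher:

```python
import random


def make_cover(n, seed=1):
    """Constructed 8-bit cover samples standing in for one colour channel.
    The odd member of each value pair (2k, 2k+1) is made about four times
    rarer than the even one, mimicking the uneven 'pairs of values' that
    make sequential LSB replacement detectable in real covers (assumption)."""
    rng = random.Random(seed)
    cover = []
    for _ in range(n):
        base = max(0, min(254, int(rng.gauss(128, 40)))) & ~1  # even value
        cover.append(base | (1 if rng.random() < 0.2 else 0))
    return cover


def bytes_to_bits(data):
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def bits_to_bytes(bits):
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)


def capacity_bytes(cover):
    """One bit per sample, minus the 4-byte length header."""
    return len(cover) // 8 - 4


def embed_lsb(cover, payload):
    """Sequential LSB replacement: a 32-bit big-endian length, then the payload."""
    bits = bytes_to_bits(len(payload).to_bytes(4, "big") + payload)
    if len(bits) > len(cover):
        raise ValueError("payload exceeds cover capacity")
    stego = list(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & ~1) | bit
    return stego


def extract_lsb(stego):
    n = int.from_bytes(bits_to_bytes([v & 1 for v in stego[:32]]), "big")
    return bits_to_bytes([v & 1 for v in stego[32:32 + 8 * n]])


def pov_statistic(samples):
    """Pairs-of-values chi-square statistic, divided by the number of usable
    pairs so regions of different sizes are comparable. Replacing LSBs with
    near-random bits drives h[2k] and h[2k+1] together, so the statistic
    collapses towards about 0.5; an untouched cover with uneven pairs scores
    far higher."""
    hist = [0] * 256
    for v in samples:
        hist[v] += 1
    chi2, pairs = 0.0, 0
    for k in range(128):
        expected = (hist[2 * k] + hist[2 * k + 1]) / 2
        if expected == 0:
            continue
        chi2 += (hist[2 * k] - expected) ** 2 / expected
        pairs += 1
    return chi2 / pairs


def demo(payload_len=600):
    cover = make_cover(20_000)
    rng = random.Random(2)
    payload = bytes(rng.getrandbits(8) for _ in range(payload_len))  # stands in for ciphertext
    stego = embed_lsb(cover, payload)
    region = 8 * (payload_len + 4)  # samples actually overwritten
    return {
        "roundtrip_ok": extract_lsb(stego) == payload,
        "capacity_bytes": capacity_bytes(cover),
        "cover_stat": pov_statistic(cover[:region]),
        "stego_stat": pov_statistic(stego[:region]),
        "untouched_tail_stat": pov_statistic(stego[region:]),
    }
```

The point of the last two figures is the one the commenter makes about not stuffing the carrier: the test is run over a window, and a window that was left untouched still looks like cover, so the less of the file you overwrite, the less of it gives a detectable answer.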

The thing that's really suspicious is that the story appeared at all; as far as I know an intelligence agency would never willingly publish any information about a high-value find.
The list of retrieved documents makes me think either:
a) Some sort of misdirection attempt based on a true arrest where no docs were actually retrieved.
b) A hypothetical scenario to get people like us to provide free consultancy :-)

"Bruce, you always put the argument that the DHS hasn't ever caught a single terrorist. But who knows how many terrorist attacks were prevented because the terrorists saw they didn't have a chance, so they didn't even try? Your argument doesn't prove the DHS is ineffective."

Yes, I suppose it is possible that terrorists have said: "Wow, the TSA has implemented full-body scanners. We need to abandon our plot and go get real jobs now." Instead of, say, bombing something else.

From the Zeit article I deduce the hiding was rather incompetently done. It is still possible that authorities would not have found anything if they had not been given rather strong hints that something worthwhile having was in there.

The claims to the quality of the material is the usual posturing by German law enforcement. They quite often (and desperately) try to blow things out of proportion because they are so pathetically incompetent with regard to anything that has to do with computers or the Internet.

That is not to say the material is not genuine. But from the Zeit article I strongly suspect they do not know either way at this time.

The story stinks. You've all mentioned the good points (technical incompetence above all, stupid behaviour) and guess what, the journalist who writes about the story is known to pimp up his stories with "insider knowledge" on "the evil terrorists"..

The story stinks... ...and guess what, the journalist who writes about the story is known to pimp up his stories with "insider knowledge" on "the evil terrorists".

I would agree with your first point, and in fact I'm not even sure there actually is a story at all, as there appears to be little or no supporting evidence from other journalists and, as I noted above, the story appears to be based on next to nothing that is verifiable, or on rumours that have done the rounds a number of times, including a year ago when OBL was killed.

However your second point "pimping" may be a little strong, it's difficult to tell.

Supposedly he is an expert in the field, but then most of the so-called experts the US Gov etc. have used in court etc. turn out to be "web site readers", not actual investigators testing and evaluating the accuracy of each item against multiple independent sources etc.

As I noted above my German is far from what it could be, but I have my doubts which is why I advised Bruce to look into the journalists other articles and book.

And I'll repeat what I concluded,

So I'd remain "firmly sceptical" unless a good deal more corroborating information from other independent sources comes to light.

That is what he may be saying is true, but I've no way currently of verifying it, and I would be loath to draw any conclusions as both sides of this "great game" are resorting to "smoke and mirrors" and "faux action". And as I noted above, this story has many of the hallmarks of a "disinformation operation" that either side would benefit from greatly.

There are plenty of sound reasons to use steganography and many steg tools and methods to choose from. The rationale for particular choices vary and include trickery and misdirection.
The fun of investigating this matter would be in determining where the REAL interesting data was hidden, once the easily discovered data is handed off to the analysts.
No sense criticizing any of this from such a distance.

I didn't explain it right; it's not frequency distribution. You get an overall light value (for sun, cloudy day) and then you check one pixel to the next and see if there's a large jump in light. If they used alphanumeric encryption, which the text is in, and just used, say, uppercase, the light values won't jump from dark to light. Most if not all encryption has uneven mapping.

What you are describing is a numeric range and rate of change which my previously described method solves as well.

Overly simplistically, the "small bit size blocks" set is small and only has 16 members for a 4-bit block size from the original ciphertext. These 16 members map into 256 or more members of the "large bit size blocks" which actually get embedded in the carrier file. Thus you get the redundancy to select more than one value for each small bit size block from the ciphertext.

The first thing you do is analyse the carrier file to get the required "range" distribution; you then make the map to translate the small blocks to the large blocks to match this distribution.

Overly simplistically, each of the 16 members of the ciphertext set would have a minimum of 4 of the 256 carrier file blocks assigned to it. Importantly these would be spread across the range values, not given adjacent values. Thus the actual value of the carrier file block used to represent the ciphertext block would be selected by examining the carrier file pixel values adjacent to the one selected to hide the ciphertext block. There are a number of ways you could do this, but again overly simplistically you could use a running low-pass filter with the window covering the previous six pixels and the next pixel with appropriate weighting. The value selected from those that map to the ciphertext value would be the one closest to the output from the low-pass filter.

You could look on the process in the same way you reduce ISI (inter-symbol interference) in a multi-level communications system.

However, as I've noted, this is an overly simplistic way to do it, so that the basic idea can be seen. In reality, because the carrier file characteristics change on a continuous basis, you would use a dynamic mapping system that had a window size appropriate to the carrier file's ongoing characteristics (think a single video frame and a two-dimensional distance-related estimator for the pixel).

Personally I'd not use a mapping process at all and simply use a synthetic noise source modulated on a bit-by-bit basis that gets added across the entire window size, in a similar way to how a Low Probability of Detection (LPD) radio system works; have a look at spread spectrum communications systems and their "coding gain", which was used as the basis for many "digital watermarking" systems.

I could go on at further length to describe a more concrete example if you wish, but it would take up quite a bit of blog space, which I'm loath to do.
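A toy realisation of the "tailored redundancy" mapping described in the two comments above (4-bit ciphertext blocks mapped onto one of several 8-bit carrier values, chosen against a running low-pass estimate of the neighbouring samples), together with the "one pixel to the next" jump check from the comment it answers. This is added example code, not the commenter's own, and it makes its own simplifying assumptions: each nibble owns the 16 byte values congruent to it mod 16 (spread 16 apart across 0..255, so the decoder needs no carrier and no map), every fourth sample of a constructed smooth 8-bit signal is overwritten, and the filter taps weight the six previous samples and the one following. Dropping raw ciphertext bytes straight into the same slots is shown beside it so the jump statistic can be compared. Note that the fixed mod-16 residue is itself a signature an analyst who knows the scheme can read directly; it is here to show the distribution-matching idea, not as a secure design:

```python
import math
import random

STEP = 4  # assumed: every STEP-th carrier sample is overwritten with one code byte


def local_estimate(carrier, i):
    """Weighted low-pass estimate of sample i from the six samples before it and
    the one after it, nearer samples weighted more heavily (tap weights assumed)."""
    taps = [(i - 6, 1), (i - 5, 1), (i - 4, 2), (i - 3, 2), (i - 2, 3), (i - 1, 3), (i + 1, 4)]
    num = den = 0
    for j, w in taps:
        if 0 <= j < len(carrier):
            num += w * carrier[j]
            den += w
    return num / den


def nearest_code(nibble, estimate):
    """Each nibble owns the 16 byte values congruent to it mod 16, spread 16 apart
    across 0..255; pick the one closest to the local estimate."""
    return min(range(nibble, 256, 16), key=lambda c: abs(c - estimate))


def to_nibbles(data):
    return [n for b in data for n in (b >> 4, b & 0x0F)]


def from_nibbles(nibbles):
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, len(nibbles) - 1, 2))


def embed_shaped(carrier, ciphertext):
    """Overwrite every STEP-th sample with a code byte that both encodes a nibble
    and tracks the carrier's local trend. A 2-byte length header leads."""
    payload = to_nibbles(len(ciphertext).to_bytes(2, "big") + ciphertext)
    slots = range(STEP, len(carrier), STEP)
    if len(payload) > len(slots):
        raise ValueError("ciphertext exceeds carrier capacity")
    stego = list(carrier)
    for slot, nib in zip(slots, payload):
        stego[slot] = nearest_code(nib, local_estimate(carrier, slot))
    return stego


def extract_shaped(stego):
    """Decoder needs neither the carrier nor the estimate: nibble = value mod 16."""
    nibbles = [stego[s] % 16 for s in range(STEP, len(stego), STEP)]
    n = int.from_bytes(from_nibbles(nibbles[:4]), "big")
    return from_nibbles(nibbles[4:4 + 2 * n])


def embed_raw(carrier, ciphertext):
    """The naive approach the thread warns about: ciphertext bytes dropped straight in."""
    stego = list(carrier)
    for slot, b in zip(range(STEP, len(carrier), STEP), ciphertext):
        stego[slot] = b
    return stego


def mean_abs_jump(samples):
    """The 'one pixel to the next' statistic: average |s[i] - s[i-1]|."""
    return sum(abs(a - b) for a, b in zip(samples, samples[1:])) / (len(samples) - 1)


def make_carrier(n, seed=7):
    """Constructed smooth 8-bit signal standing in for a row of pixel intensities."""
    rng = random.Random(seed)
    return [max(0, min(255, round(128 + 60 * math.sin(i / 40) + rng.gauss(0, 2)))) for i in range(n)]


def demo():
    rng = random.Random(3)
    carrier = make_carrier(4000)
    ciphertext = bytes(rng.getrandbits(8) for _ in range(200))  # stands in for real cipher output
    shaped = embed_shaped(carrier, ciphertext)
    raw = embed_raw(carrier, ciphertext)
    return {
        "roundtrip_ok": extract_shaped(shaped) == ciphertext,
        "carrier_jump": mean_abs_jump(carrier),
        "shaped_jump": mean_abs_jump(shaped),
        "raw_jump": mean_abs_jump(raw),
    }
```

The shaped version writes twice as many samples as the raw one (two nibbles per byte) and still moves the jump statistic far less, because every written value sits within 8 of what the neighbourhood predicts; the raw version scatters uniform bytes into a signal that is never uniform. The price is the usual one for redundancy: half the capacity per sample.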

I couldn't believe that there are people who exist who are intelligent enough to perform video file steganography, yet dumb enough to do that for Al-Qaeda.
I mean, what's the point of working for those dumb, illiterate terrorists in the first place?
I do not even understand their pointless motives behind their dumb acts.